<pre>Larry Seltzer wrote:<br><br>>>And how exactly do you propose to "leave out the details and PoC" when the<br></pre>
<pre>>>presence of the bug and the steps taken to fix it can not be concealed from<br>>>public view given that the source code and the entire CVS entries are freely<br>>>available for anyone to browse?<br>
<br>>You really don't think it would slow them down?<br><br>Who is "them"?<br>And you want to slow "them" down from doing... what?<br><br>Maybe it is not evident to you that a source code diff between vulnerable and
<br>non-vulnerable versions of a software package is enough information to figure<br>out all the details needed to identify and trigger the bug and to write an exploit<br>for it. After all, you are not supposed to know this, right? You're the security
<br>center editor for eWeek, not some hardcore software developer or security expert.<br><br>Hell, not even a source code diff is necessary anymore; a binary patch is<br>sufficient to identify the bug and develop an exploit for it.
<br><br>So there! That's some newsworthy information for your prestigious magazine; maybe<br>you should seek clearance from your sponsors to write about it. It will sell <br>a bunch more copies.<br><br>Trust me! THIS IS HOT NEWS
<br><br>Meanwhile, I am still waiting for your proposal for a way to leave out details and <br>PoC for vulnerabilities found in open source projects.<span class="moz-txt-citetags"><br><br>>></span>The proposal for obscurity serves well closed-source initiatives and
<br><br></pre>
<pre>>>development processes that have limited or no public visibility but it fails<br>>>in the presence of OSS. The "responsible disclosure" advocates act as if<br>>>Linux,*BSD,Mozilla and a zillion other open source projects did not exist in
<br>>>reality.<br><br>>The Mozilla team obviously disagrees with you, since they do try to hide<br>>unresolved security problems, at least until (as in this case) the beans get<br>>spilled in some other way.
<br><br>Hmm, maybe... but then again, how is that different from MSRC?<br>In any case, I cannot say how the Mozilla or other OSS development<br>teams work and if they do try to hide security vulnerabilities or not, but what
<br>I can do is browse their CVS tree and bug tracking system:<br><br><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=307259">https://bugzilla.mozilla.org/show_bug.cgi?id=307259</a><br><br>So what I read in the publicly available bug entry above does not support your
<br>theory; perhaps you have some secret 3l337 knowledge about how the team<br>really works WRT security flaws that you want to share with the list?<br><br>uhm no wait, I forgot...<br><br>not talking about this will slow THEM down
<br><br><br></pre>